Access the Kubernetes Dashboard

Learn how to get access to the Kubernetes Dashboard.

Kubernetes proxy#

Besides checking the Kubernetes objects, there is one more thing that is good to verify, which is actually using the Dashboard.

In order to enter the installed Dashboard we need to use the kubectl proxy command (in the terminal at the end of this lesson):

Now, when we enter the address (provided right under the terminal) we should get a similar screen (most probably, before that, the browser will warn us about an insecure connection, but we can ignore it):

Login page to Kubernetes Dashboard
Login page to Kubernetes Dashboard

Get credentials to the Dashboard#

Alright, it’s working! But how do we log in? This would require more explanation. Kubernetes Dashboard is a very powerful tool because it can not only show what’s inside a cluster but also modify it. This particular feature might make it vulnerable to potential hackers. In fact, a number of companies have experienced the same, including Tesla’s cloud infrastructure which was used by hackers for Bitcoin mining. For this reason, we need to be extremely cautious when using the Kubernetes Dashboard in the production and development environment. However, we’re using a local cluster so we should be okay.

That’s why in order to enter its home page we need to provide a token. For that, we need to have a Kubernetes service account created with a specific ClusterRole bound to it, i.e.,  cluster-admin.

Luckily for us, together with this Helm release, a service account is created. It can be checked with kubectl, as follows:

List Kubernetes Service Accounts

The output will be as follows:

NAME                             SECRETS   AGE
dashboard-kubernetes-dashboard   1         22h
default                          1         31h

To grant the necessary permissions for it we need to create a ClusterRoleBinding:

Creating the ClusterRoleBinding

The output will be as follows:

clusterrolebinding.rbac.authorization.k8s.io/dashboard-kubernetes-dashboard created

And to get the token, first we need to get a Kubernetes Secret name that is linked to the dashboard-kubernetes-dashboard service account, as below:

Describing the Kubernetes service account

The output will be as follows:

Name:                dashboard-kubernetes-dashboard
Namespace:           monitoring
Labels:              app.kubernetes.io/instance=dashboard
                     app.kubernetes.io/managed-by=Helm
                     app.kubernetes.io/name=kubernetes-dashboard
                     app.kubernetes.io/version=2.4.0
                     helm.sh/chart=kubernetes-dashboard-5.0.4
Annotations:         meta.helm.sh/release-name: dashboard
                     meta.helm.sh/release-namespace: monitoring
Image pull secrets:  <none>
Mountable secrets:   dashboard-kubernetes-dashboard-token-btsp4
Tokens:              dashboard-kubernetes-dashboard-token-btsp4
Events:              <none>

It’s listed as Mountable secrets and in this case, it is called dashboard-kubernetes-dashboard-token-btsp4. To get the value of the token we will  run the kubectl describe secret command:

Describing the Kubernetes Secret

The output will be as follows:

Name:         dashboard-kubernetes-dashboard-token-btsp4
Namespace:    monitoring
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: dashboard-kubernetes-dashboard
              kubernetes.io/service-account.uid: f2fa8ba3-7051-429a-8e2c-70c77d6d2aad

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1066 bytes
namespace:  10 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IllDUEJBZEhBR0NvdG54YlZ0WG9VdXBhNHZNaDV3UlJObUUtOU9KV0haNlUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJtb25pdG9yaW5nIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRhc2hib2FyZC1rdWJlcm5ldGVzLWRhc2hib2FyZC10b2tlbi1idHNwNCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkYXNoYm9hcmQta3ViZXJuZXRlcy1kYXNoYm9hcmQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmMmZhOGJhMy03MDUxLTQyOWEtOGUyYy03MGM3N2Q2ZDJhYWQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6bW9uaXRvcmluZzpkYXNoYm9hcmQta3ViZXJuZXRlcy1kYXNoYm9hcmQifQ.n4v3-65KA0zSnzRFL_UuRKfOahX3fPsIjtx5X66tEpKBujpKdAkmdZUntGJUzYH-IqHfn41Q8vuMaP2NB9bTrfXIuMunEcN4lAhkX5jpyKEvfXhJIS5CgB8HQMEc4N6eq8F2kEH7foesCYOJmstAA4cKSmttoWkLErq3wyeJMD8aroGlvwP3weOKYn0I7LzwqKrlwP35SyWULQWE-6y8uwiIONoOoi9_T5LQhUxP8B4ewOnmOVHGH6sjOg2YYjVpnqjDHOS7eNquiUn-YH_jkuC24y3c8Mvb8iI0Ag6UIugZXtkkmiMiFPY3LOdA7Ov6V3QE989i7Xt7EEaVDe15mA

The last position is our token. Copy and paste it into the dashboard’s login page and click “Sign In.”

Overivew page of a default Kubernates namespace
Overivew page of a default Kubernates namespace

Next, navigate to the monitoring namespace located at the top of the screen, as shown below:

Overview page of a monitoring Kubernetes namespace
Overview page of a monitoring Kubernetes namespace

We can see that everything is working!

Port forwarding#

The kubectl proxy command mentioned at the beginning of this lesson enabled us to expose the dashboard over the Internet.

If we are working locally there is another approach. Instead of a proxy command, we can use kubectl port-forward:

Set up port-forwarding for a Kubernetes Dashboard Service

The output will be as follows:

Forwarding from 127.0.0.1:443 -> 443
Forwarding from [::1]:8443 -> 443

To enter the dashboard we would need to use the http://localhost:443 address.

Install the Helm Chart

Setting Values during Installation